CVE-2025-59466
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...
kernel: Fix of 39 CVEs
Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times CVE-2022-50419 - firewire: net: fix use after free in fwnet_finish_incoming_packet CVE-2023-53432 - wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit CVE-2022-50408 - wifi: brcmfmac: slab-out-of-bounds read in...
Node.js security vulnerabilities
Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. There are security vulnerabilities in Node.js, where the error related to the maximum call stack size when enabling async_hooks.createHook makes it impossible to catch certain exceptions,...
MiracleLinux 8 : firefox-91.4.0-1.el8.ML.1 (AXSA:2022-2971:02)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-2971:02 advisory. Mozilla: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4 Mozilla: URL leakage when navigating while executing asynchronous function...
CVE-2025-15466 Image Photo Gallery Final Tiles Grid <= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with...
CVE-2025-14463
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint wppaypalcheckout_ajax_process_order that processes checkout results without any authentication or...
CVE-2025-14463 Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint wppaypalcheckout_ajax_process_order that processes checkout results without any authentication or...
CVE-2025-15403 RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order
The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. This makes it possible f...
CVE-2025-14075 WP Hotel Booking <= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a...
CVE-2025-14075
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a...
PT-2026-3343
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint wppaypalcheckout_ajax_process_order that processes checkout results without any authentication ...
CVE-2025-14757 Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv,...
CVE-2025-15265
A flaw was found in Svelte. A remote attacker can exploit this Cross-Site Scripting (XSS) vulnerability during asynchronous hydration by providing specially crafted input. This input, when processed, allows for the injection of arbitrary JavaScript into a user's browser due to improper escaping of...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003950)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003950 advisory. An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev fails in hci_uart_set_proto in...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003733)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003733 advisory. TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003706)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003706 advisory. An issue was discovered in aio_poll in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake if an expected event is triggered immediately...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003725)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003725 advisory. TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000867)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000867 advisory. The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows loca...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000805)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000805 advisory. Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecifie...
MiracleLinux 7 : chrony-2.1.1-1.0.1.el7.AXS7 (AXSA:2015-927:01)
The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2015-927:01 advisory. A client/server for the Network Time Protocol, this program keeps your computer's clock accurate. It was specially designed to support systems with...